+++ This bug was initially created as a clone of Bug #161095 +++ I ran across this issue in the Debian BTS: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315064 http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5237 It seems that by executing an XMLRPC server in ruby in this manner: s.add_handler(XMLRPC::iPIMethods("sample") It becomes possible to execute any arbitrary commands within the XMLRPC server.
Fixed in ruby-1.8.2-1.fc3.3 for FC3 and ruby-1.8.2-7.fc4.2 for FC4.